The E.U. updates Personal Data Protection


The protection of personal data, currently regulated by Directive 95/46/EC, and in Spain by Law 15/1999 of December 13 and its implementing regulation RD 1720/2007 of December 21, is already a widely known set of rules, but one that a still significant percentage of entities does not respect.
New technologies, globalization, the Internet and the emergence of social networks (Facebook, Twitter, LinkedIn), cloud technologies, smartphones and others have created a new operational and relational context that the current legislation does not address adequately. This introduces uncertainty and insecurity into correct legal compliance by businesses, public administrations and all other entities, for profit or non-profit, to which it applies.
On the other hand, the national laws transposing the Directive have differed greatly in their content, creating a fragmented context in which it is difficult to protect the rights of citizens uniformly throughout the EU.
The EU is aware of this problem and for a couple of years has been developing a series of actions to revise the rules, having opted for a Regulation rather than an update of Directive 95/46/EC. This decision is very important, because a Regulation is directly applicable throughout the EU, so the time until it takes effect is considerably reduced.
The latest draft Regulation is dated November 2011 and is entitled “Regulation of the European Parliament and of the Council on the protection of Individuals with Regard to the Processing of Personal Data and on the free movement of Such Data (General Protection Regulation)”. Approval is expected in the first months of 2012 and enactment before the end of 2012. The estimated schedule may vary.
This new EU Regulation contains several interesting developments, which we summarize briefly:
- The Security Forces and the Courts are outside the scope of this Regulation. A specific Directive is being drawn up for them.
- It is quite likely that the requirement to notify files to an administrative register, as exists today in Spain, will be removed. However, in conversations with people with insight into the administration, it is not clear whether this will finally apply in Spain, given the principle of transparency, citizen access, and the need to facilitate the exercise of rights by citizens.
- It clarifies and defines the ways of giving consent. Presumed or alleged tacit consent is not permitted.
- It defines and expands the categories of data, and expands the information that must be included in the information terms/wording used in data collection.
- It includes a new right: the “Right To Be Forgotten”.
- It regulates profiling, i.e. segmentation based on behaviour. Profiles of minors may not be made. “Minor” is defined by the “UN Convention on the Rights of the Child”.
- It clearly introduces the concepts of “responsibility” and “due diligence”, and the obligation to bear the burden of proof of correct application of the regulations.
- Very important: in case of loss, theft, hacking, or any other circumstance that allows data to be accessed by or disclosed to unauthorized persons, the Regulation introduces the obligation to notify the fact to the authority of each country (in Spain, the Spanish Agency for Data Protection) and to the affected persons within 24 hours after discovery.
- It regulates direct marketing and advertising and how they may be carried out: with express consent.
- For certain processing operations (including video surveillance and the processing of data on minors, biometric data, genetic data, …) an Impact Assessment on the protection of personal data will be required. Impact reports shall be public.
- It introduces and regulates the figure of the DPO (Data Privacy Officer) for companies of 250 employees or more. The DPO will be mandatory for all Public Administrations. The DPO must have sufficient knowledge and experience in Data Protection.
- It regulates the relationship between Data Controller and Data Processor, clarifying responsibilities. It assigns responsibility for the choice of Data Processor, and assigns accountability for due diligence in ensuring compliance with the Regulation.
- It introduces the legal concepts of “Privacy by Design” and “Privacy by Default” directly into the text. These concepts require attention to the protection of personal data from the initial design of operations and processing, and require that privacy protection mechanisms be enabled by default.
- Reports that entities must produce by law (e.g. the Annual Audit of Accounts, or others required for companies or entities) must include a specific section on personal data protection compliance and the risks involved.
- It allows organizations, associations or other entities to lodge complaints on behalf of those affected.
- PENALTIES: it establishes three levels of sanctions, according to their effectiveness, proportionality and deterrence:
1. € 100.00 to € 300.00, or up to 1% of global turnover
2. € 500.00 to € 600,000.00, or up to 3% of global turnover
3. € 100,000.00 to € 1,000,000.00, or up to 5% of global turnover
The Regulation is much denser, but in general these are the most relevant developments. From these changes it follows that many actions will be needed to adapt to this Regulation, for example:
1. You will need to change ALL the wording of information clauses, on paper and on-line.
2. You MUST review and update the consents received.
3. It will be necessary to revise and adapt all third-party processing contracts.
4. All the required documentation must be maintained with extreme care and diligence.
5. A DPO, internal or external, must be appointed where required; for entities with fewer than 250 employees it will be good practice to appoint one anyway, to demonstrate diligence.
6. The National Data Protection Authority must be notified within 24 hours of the theft, loss or hacking of personal data.
7. Policies, procedures and processes specific to the implementation of these regulations should be established, in order to demonstrate due diligence in compliance.
There are other actions that do not fit within the scope of this paper. The conclusion is that the EU is serious about protecting the right to the protection of personal data and is determined that it be applied uniformly across the EU, so all affected entities would do well to prepare their compliance in advance.
External consulting should be obtained from companies of recognized standing, training and experience in data protection, to avoid the risks of incomplete or incorrect application of the rules.
For any additional information, contact www.legitec.com or 902 22 5673.
Vicente Moncholí Cebrián – Director – MCA Consultores® – Legitec® vmoncholi@mcaconsultores.com

Author: Manuel Moreno Aliaga

CISA, CISM, LA ISO27001.
